Oracle® Solaris 11.4 Release Notes

Updated: October 2018
 
 

Security Issues

This section describes issues with the security software in the Oracle Solaris 11.4 release.

SPARC Firmware Update Might Be Needed for sxadm to Report HW_BTI Correctly (28150745)

The sxadm command in Oracle Solaris 11.4 uses the HW_BTI security extension to provide the status of hardware-based mitigation for CVE-2017-5715 (Branch Target Injection, Spectre Variant 2) in the SPARC firmware. For more information, see the sxadm(8) man page.

In order for sxadm to determine whether this mitigation is enabled, the firmware must be updated to a version that communicates this status to the operating system. If the firmware is not updated, then sxadm reports that HW_BTI is not supported, even if HW_BTI is enabled.

The following table shows the minimum firmware version that supports the HW_BTI security extension. For the given platform, make sure you are running the specified firmware version or newer.

Platform                    Minimum Firmware Version
SPARC M8, T8, M7, T7, S7    SPARC Firmware 9.8.6
SPARC M6, M5, T5            SPARC Firmware 9.6.23
SPARC T4                    SPARC Firmware 8.9.11

For more information about SPARC mitigations for CVE-2017-5715, see “Oracle Solaris on SPARC — CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities (Doc ID 2349278.1)” on support.oracle.com.

ktkt_warn Service Is Disabled by Default (15774352)

The ktkt_warn service, used to renew a user's Kerberos credentials and warn about credential expiry, is now disabled by default. The following error message is displayed:

kinit:  no ktkt_warnd warning possible

Workaround: Choose one of the following workarounds to enable the service:

  • If the system already has Kerberos configured, use the svcadm command to enable the service.

    # svcadm enable ktkt_warn
  • If Kerberos has not been configured, run the kclient utility to configure Kerberos, which will also enable the ktkt_warn service.

    For more information about the kclient utility, see the kclient(8) man page.

OpenLDAP Package Update Issue (21577683)

If you have made manual modifications to the LDAP configuration files /etc/openldap/ldap.conf and /etc/openldap/slapd.conf, the security settings for the TLS cipher suite might be incorrect.

Workaround: If you maintain your own LDAP configuration files, make the following modifications to maintain a secure system:

  • In the /etc/openldap/ldap.conf file, set the TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE values as follows:

    TLS_PROTOCOL_MIN   3.2
    TLS_CIPHER_SUITE   TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  • In the /etc/openldap/slapd.conf file, set the TLSProtocolMin and TLSCipherSuite values as follows:

    TLSProtocolMin  770
    TLSCipherSuite  TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    

Insecure Algorithms Disabled in OpenSSH

By default, ssh-dss keys are disabled. You must remove the existing ssh-dss keys from the authorized_keys files and configure the new ssh-rsa keys. Otherwise, you might not be able to connect to the server after the server has been upgraded to Oracle Solaris 11.4.
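
To find the entries that need replacing before an upgrade, the following added example (not part of the Oracle release notes) lists every ssh-dss entry in the given authorized_keys files, including entries that begin with an options field. The function name list_dss_keys and the sample keys are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example, not from the release notes. Sample keys are constructed.

# list_dss_keys FILE... : print "FILE:LINE:COMMENT" for each ssh-dss entry.
list_dss_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
        # Split on whitespace outside double quotes, so an option such as
        # command="a b" stays one token.
        line = $0; inq = 0; tok = ""; n = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"" && substr(line, i - 1, 1) != "\\") inq = !inq
            if (!inq && (c == " " || c == "\t")) {
                if (tok != "") { t[++n] = tok; tok = "" }
            } else tok = tok c
        }
        if (tok != "") t[++n] = tok
        # The key type is token 1, or token 2 when an options field leads.
        for (k = 1; k <= 2 && k <= n; k++)
            if (t[k] == "ssh-dss") {
                printf "%s:%d:%s\n", FILENAME, FNR,
                    (k + 2 <= n ? t[k + 2] : "(no comment)")
                break
            }
    }' "$@"
}

# Constructed sample input covering comments, options and quoted spaces.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ssh-dss mentioned in a comment is ignored
ssh-rsa AAAAB3NzaC1yc2EEXAMPLE alice@example
ssh-dss AAAAB3NzaC1kc3MEXAMPLE bob@example
command="echo ssh-dss",no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLE carol@example
from="192.0.2.10",command="run \"a b\"" ssh-dss AAAAB3NzaC1kc3MEXAMPLE
EOF
list_dss_keys "$sample"    # reports lines 3 and 5 only
rm -f "$sample"
```
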

By default, the diffie-hellman-group1-sha1 key exchange method is disabled. Peers that support only this method should be upgraded to support a secure key exchange method.


Note -  SSH protocol version 1 is no longer supported.